At the end of September Facebook notified users of a massive data breach that compromised accounts of over 50 million users of the social network. This is shaping up to be a tough year as this second Facebook data breach comes hot on the heels of the Cambridge Analytica scandal in March.
The data breach occurred when hackers exploited a security weakness present in Facebook’s code since July 2017 to access the popular ‘View As’ feature, which allowed users to see what their profile looked like to other people. It resulted in the theft of automated log-in credentials (or “access tokens”), which make it easier for people to log into popular third-party apps and services via Facebook.
In layman’s terms, an access token is a unique string of letters and numbers that can be used to automatically log you in to other apps and websites, so you don’t have to keep entering your password.
According to Pravin Kothari, CEO at CipherCloud, “The hackers exploited three separate vulnerabilities which allowed [them] access to approximately 50 million user tokens.”
Facebook has taken remedial measures and continues to investigate the wider impact of the data breach.
At the moment, it does seem the damage may be limited. Said Guy Rosen, Facebook vice president of product management, “We have now analyzed our logs for all third-party apps installed or logged during the attack we discovered last week. That investigation has so far found no evidence that the attackers accessed any apps using Facebook Login.”
Not the first data breach in 2018 for Facebook
This is the latest privacy issue that the social media giant has been faced with – and 50 million seems to be a number that is proving unlucky for Facebook. In March 2018 the company was rocked by the so-called Cambridge Analytica scandal, where the voter-profiling company accessed data of about 50 million Facebook users. This led to investigations by the U.S. Federal Trade Commission and the Senate Commerce Committee, both of which demanded answers from Mark Zuckerberg.
Paul Bischoff, privacy advocate at Comparitech.com, commented: “There’s very little information to go on as of now, but it should be made clear that this is distinctly different from the Cambridge Analytica leak that made headlines a few months ago. This is a direct attack by hackers that exploited a vulnerability in Facebook’s ‘view as’ feature, which was designed to allow users to see their profile pages as a friend or stranger would. In contrast, the Cambridge Analytica incident resulted from the abuse of data that Facebook willingly provided.
“It’s surprising to me that as popular as Facebook is, no white hat hacker ever discovered and reported this flaw in the past, neither an external pen tester nor Facebook’s internal IT security team. I would be interested to know how long this flaw existed before it was discovered and exploited.”
Facebook data breach and the danger of shortcuts
Facebook continues to investigate the full extent of the data breach. However, it does appear that this will not only affect the Facebook experience of the users – in fact the impact could be far more wide-ranging.
The vulnerability that allowed attackers to steal access tokens means that the data breach might very well have a ripple effect that reaches far beyond the borders of Facebook itself. It’s a potential backdoor to a whole ecosystem of third-party apps and websites. The tokens make it easier for people to log into popular apps and services like Spotify, Pinterest, or Yelp.
Dana Simberkoff, chief risk, privacy, and information security officer at enterprise security firm Avepoint, summed up the dangers.
“It’s easy and convenient, but when you use shortcuts there can be consequences,” she says. “You should not use one app to log into another, because when one of those systems is compromised, everything else you interact with can be as well.”
Facebook proactive in the face of data breach
Facebook has been quick to respond to the data breach. Users were logged out of their Facebook accounts and the social media company notified those affected via their News Feed. The company also noted that those users who were logged out may not have been victims of the data breach: as a precaution, Facebook logged out everyone who had used the ‘View As’ feature. In a statement, Facebook noted “We do not currently have any evidence that suggests these accounts have been compromised.” Users will now be required to log back in.
Facebook is also temporarily turning off the ‘View As’ feature while it conducts a “thorough security review.”
Facebook to reset access tokens for 90M accounts
On the 3rd of October Facebook posted an update on the security attack and announced that it would reset the access tokens of 90 million user accounts.
“This was a serious issue and we worked fast to protect the security of people’s accounts and investigate what happened,” the company said. “We fixed the vulnerability and we reset the access tokens for a total of 90 million accounts – 50 million that had access tokens stolen and 40 million that were subject to a ‘View As’ look-up in the last year. Resetting the access tokens protected the security of people’s accounts and meant they had to log back in to Facebook or any of their apps that use Facebook Login.”
Is the data breach an issue under the GDPR?
Many of the affected users call Europe home, so the ongoing issue will fall under the rules and regulations of the EU General Data Protection Regulation (GDPR). The full extent and impact of the data breach is still being investigated, so it is difficult to gauge whether Facebook will be accused of crossing some of the GDPR red lines. The GDPR makes provision for hefty fines when personal information is exposed. There appears to be a possibility that those responsible for the Facebook data breach had access to personal messages, in which case sensitive personal data may have been breached, but it is simply too early to tell. Facebook was quick to state that no credit card information has been stolen.
Tim Erlin, VP, product management and strategy at Tripwire, points out that, “Inside the walls of Facebook, there has got to be concern over any GDPR related repercussions. This could be a real litmus test for the fledgling regulation.”
As the investigation proceeds, it will be extremely interesting to see how the regulatory authorities respond, what impact this will have on Facebook’s operations, and whether it will inform future decisions under GDPR.
Pravin Kothari of CipherCloud commented further on the potential GDPR implications of the data breach, “Enforcement of GDPR will come from the Information Commissioner’s Office (ICO). What will their reaction be? Given the horrendous publicity from the Cambridge Analytica data exposures, the EU reaction is not easily predicted. Not knowing all of the detail of when the breach was discovered, who, exactly, was impacted, who was responsible, etc., the possible outcomes may be worse than we know today. We’ll have to see what Facebook discloses about potential liability if any exists. The calculations of the potential fines under GDPR are a bit mind-boggling with any possible impact to millions of users.”
Facebook data breach points to failings
Could the problems that Facebook is now facing have been avoided? According to Satya Gupta, chief technology officer and co-founder at Virsec, the social media giant could have been more proactive in its approach.
“While the ‘View As’ feature sounds like a useful way to see what your profile looks like to your ex-girlfriend, it was clearly built without thinking through security. Instead of just seeing through someone else’s eyes, Facebook essentially lets you borrow their identity. Armed with someone else’s access token you can get to lots of private and highly privileged information. In addition, millions of people use their Facebook ID (authenticated through their access tokens) to connect to other services where they might be storing files, making purchases, or doing other things that they thought were private.
“These problems could easily have been avoided and services that prioritize security, like banks, hospitals and even airlines rarely make these basic mistakes. It’s a bad idea to let users stay logged on indefinitely while there is no activity. Many people will open a Facebook browser tab and not close it for hours or days while doing other things. If you’re logged into your banking site and are inactive for more than a few minutes you are automatically logged off and need to re-authenticate. This is a small burden for users and a no-brainer for security. There are also solutions that provide continuous authentication requiring users to confirm their identity if there is any unusual behavior.”
Hard year for Facebook
The takeaways from the data breach are possibly best summed up by Adam Levin, Founder of CyberScout and author of “Swiped”, who said:
“Facebook has had a hard year, and it just got worse. In a world dominated by trillion-dollar advertising platforms consisting of multi-billion member communities, 50 million users may no longer seem like a big deal, but it is. The number of people affected by this breach is roughly equal to the entire population of the west coast of the United States.
“The latest Facebook breach was caused by an upgrade. The takeaway is simple: Any changes made to networks, software and other systems must be immediately and continually tested and monitored for vulnerabilities. The traditional ‘patch and pray’ approach to cybersecurity is obsolete. An effective vulnerability management program is crucial.”